/*
 * HSM Proxy Project.
 * Copyright (C) 2013 FedICT.
 *
 * This is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License version
 * 3.0 as published by the Free Software Foundation.
 *
 * This software is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this software; if not, see 
 * http://www.gnu.org/licenses/.
 */

package be.fedict.hsm.model;

import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.cert.Certificate;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.persistence.EntityManager;
import javax.persistence.PersistenceContext;

import org.apache.commons.codec.binary.Hex;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.ejb3.annotation.SecurityDomain;

import be.fedict.hsm.entity.ApplicationEntity;
import be.fedict.hsm.entity.ApplicationKeyEntity;
import be.fedict.hsm.entity.ApplicationKeyId;
import be.fedict.hsm.entity.AuditEntity;
import be.fedict.hsm.model.security.ApplicationRoles;
import be.fedict.hsm.model.security.ApplicationSecurityDomain;

@Stateless
@SecurityDomain(ApplicationSecurityDomain.NAME)
@RolesAllowed(ApplicationRoles.APPLICATION)
@Local(SignatureService.class)
public class SignatureServiceBean implements SignatureService {

	private static final Log LOG = LogFactory
			.getLog(SignatureServiceBean.class);

	private static final Map<String, String> digestMethodToDigestAlgo;

	static {
		digestMethodToDigestAlgo = new HashMap<String, String>();
		digestMethodToDigestAlgo.put("http://www.w3.org/2000/09/xmldsig#sha1",
				"SHA-1");
		digestMethodToDigestAlgo.put("http://www.w3.org/2001/04/xmlenc#sha256",
				"SHA-256");
		digestMethodToDigestAlgo.put("http://www.w3.org/2001/04/xmlenc#sha512",
				"SHA-512");
	}

	@Resource
	private SessionContext sessionContext;

	@PersistenceContext
	private EntityManager entityManager;

	@EJB
	private KeyStoreSingletonBean keyStoreSingletonBean;

	@Override
	public byte[] sign(String digestMethodAlgorithm, byte[] digestValue,
			String keyAlias) throws NoSuchAlgorithmException {
		LOG.debug("digest method algorithm: " + digestMethodAlgorithm);
		LOG.debug("key alias: " + keyAlias);
		Principal callerPrincipal = this.sessionContext.getCallerPrincipal();
		LOG.debug("caller principal: " + callerPrincipal.getName());
		LOG.debug("caller in role application: "
				+ this.sessionContext
						.isCallerInRole(ApplicationRoles.APPLICATION));
		long appId = Long.parseLong(callerPrincipal.getName());
		ApplicationKeyEntity applicationKeyEntity = this.entityManager.find(
				ApplicationKeyEntity.class, new ApplicationKeyId(appId,
						keyAlias));
		if (null == applicationKeyEntity) {
			throw new NoSuchAlgorithmException("unknown key alias: " + keyAlias);
		}
		String keyStoreAlias = applicationKeyEntity.getKeyStoreKeyAlias();
		long keyStoreId = applicationKeyEntity.getKeyStore().getId();
		String digestAlgo = digestMethodToDigestAlgo.get(digestMethodAlgorithm);
		if (null == digestAlgo) {
			throw new IllegalArgumentException(
					"unsupported digest method algo: " + digestMethodAlgorithm);
		}
		byte[] signatureValue;
		try {
			signatureValue = this.keyStoreSingletonBean.sign(keyStoreId,
					keyStoreAlias, digestAlgo, digestValue);
		} catch (Exception e) {
			LOG.error("signature error: " + e.getMessage());
			return null;
		}

		AuditEntity auditEntity = new AuditEntity(applicationKeyEntity
				.getApplication().getName(), keyAlias, applicationKeyEntity
				.getKeyStore().getName(), keyStoreAlias, new String(
				Hex.encodeHex(digestValue)));
		this.entityManager.persist(auditEntity);

		return signatureValue;
	}

	@Override
	public Set<String> getAliases() {
		Principal callerPrincipal = this.sessionContext.getCallerPrincipal();
		LOG.debug("caller principal: " + callerPrincipal.getName());
		long appId = Long.parseLong(callerPrincipal.getName());
		LOG.debug("getAliases for app id: " + appId);
		ApplicationEntity applicationEntity = this.entityManager.find(
				ApplicationEntity.class, appId);
		List<ApplicationKeyEntity> applicationKeys = ApplicationKeyEntity
				.getApplicationKeys(this.entityManager, applicationEntity);
		LOG.debug("number of aliases: " + applicationKeys.size());
		Set<String> aliases = new HashSet<String>();
		for (ApplicationKeyEntity applicationKey : applicationKeys) {
			String alias = applicationKey.getName();
			LOG.debug("alias: " + alias);
			aliases.add(alias);
		}
		LOG.debug("aliases: " + aliases);
		return aliases;
	}

	@Override
	public Certificate[] getCertificateChain(String alias)
			throws NoSuchAlgorithmException {
		Principal callerPrincipal = this.sessionContext.getCallerPrincipal();
		LOG.debug("caller principal: " + callerPrincipal.getName());
		long appId = Long.parseLong(callerPrincipal.getName());
		ApplicationKeyId applicationKeyId = new ApplicationKeyId(appId, alias);
		ApplicationKeyEntity applicationKeyEntity = this.entityManager.find(
				ApplicationKeyEntity.class, applicationKeyId);
		if (null == applicationKeyEntity) {
			throw new NoSuchAlgorithmException("unknown key alias: " + alias);
		}
		String keyStoreAlias = applicationKeyEntity.getKeyStoreKeyAlias();
		long keyStoreId = applicationKeyEntity.getKeyStore().getId();
		Certificate[] certificateChain = this.keyStoreSingletonBean
				.getCertificateChain(keyStoreId, keyStoreAlias);
		return certificateChain;
	}
}
